CVE-2019-13179
Severity: HIGH
Calamares 3.1-3.2.10 - Unprotected User Data Exposure via Insecure Keyfile Permissions
Title source: llmDescription
Calamares versions 3.1 through 3.2.10 copy the LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) into a globally readable initramfs image under /boot with insecure permissions. The originally protected keyfile can therefore be read by any local user, disclosing the decryption key for LUKS containers created with Full Disk Encryption.
References (8)
Third Party Advisory (x_refsource_misc): https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://github.com/calamares/calamares/issues/1191
Issue Tracking, Third Party Advisory (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=1726542
Vendor Advisory (x_refsource_confirm): https://calamares.io/calamares-3.2.11-is-out/
Vendor Advisory (x_refsource_confirm): https://calamares.io/calamares-cve-2019/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q57BOTBA2J5U4GVKUP7N2PD5H7B3BVUU/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2ZDQRGBGRVRW5LPJWKUNS3M66LZ3KYC/
Scores
CVSS v3
7.5
EPSS
0.0209
EPSS Percentile
79.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
Status
published
Products (1)
calamares/calamares
< 3.2.10
Published
Jul 02, 2019
Tracked Since
Feb 18, 2026